Using Kerberos S4U extensions (introduced in Java

Published 2019-02-11 08:29

Question:

It's been a while since I coded in Java, so I may be missing something obvious. I want to connect to the database (I need to support many - SQL Server, MySQL, etc.) via JDBC. However, I want to use Microsoft S4U Java extension support that was added in Java 8 to achieve Kerberos delegation. I do not want the user to have to enter their credentials on my middle-tier server. I would like to use S4U to get a ticket for my middle-tier server on the user's behalf and use that to invoke the JDBC code via the doAs functions (Subject.doAs or doAsPrivileged).

I have added support for protocol transition and constrained delegation on Windows using C++ and ODBC. But I don't know how to do the same with Java. The S4U documentation on Java is sparse. This page seems to contain the most information - http://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/jgss-features.html. The page says "A new public method (GSSCredential::impersonate) has been added to the com.sun.security.jgss package to implement these extensions." Based on http://docs.oracle.com/javase/7/docs/technotes/guides/security/jgss/single-signon.html, I was thinking that I need to use the classes LoginContext and Subject to invoke a doAs on a JDBC connection call so that the connection goes through under the Subject's credentials. But how do I use GSSCredential::impersonate in the mix?

Thanks, Ed

Answer 1:

This is the code I arrived at after a lot of spelunking online:

   import java.security.PrivilegedAction;
   import javax.security.auth.Subject;
   import org.ietf.jgss.GSSCredential;
   import org.ietf.jgss.GSSManager;
   import org.ietf.jgss.GSSName;
   import com.sun.security.jgss.ExtendedGSSCredential;

   // The middle tier's own initiator credential, then an S4U2self credential in the user's name
   GSSManager manager = GSSManager.getInstance();
   GSSCredential self  = manager.createCredential(GSSCredential.INITIATE_ONLY);
   GSSName user = manager.createName("myuser", GSSName.NT_USER_NAME);
   GSSCredential impCred = ((ExtendedGSSCredential) self).impersonate(user);

   // Put only the impersonated credential in a fresh Subject and run the JDBC work under it
   Subject mySubject = new Subject();
   mySubject.getPrivateCredentials().add(impCred);
   PrivilegedAction<?> action = new ClientAction();   // ClientAction: the poster's own PrivilegedAction, not shown
   Subject.doAs(mySubject, action);

I now get "GSSException: Failure unspecified at GSS-API level (Mechanism level: Attempt to obtain S4U2self credentials failed!)" on the impersonate call, which I am still investigating.
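As an added example (not the poster's code, and not taken from Oracle's or Microsoft's documentation), this is one way to combine LoginContext, Subject.doAs and impersonate for the SQL Server case named in the question: the middle tier first logs in from its own keytab, because S4U2self needs the service's own TGT, and the impersonated credential is then handed to the JDBC driver. It assumes a JAAS entry named `MiddleTier`, a hypothetical JDBC URL, and the Microsoft JDBC Driver for SQL Server 6.2 or later, whose `gsscredential` connection property accepts a GSSCredential; the service account must also be allowed to delegate to the SQL Server SPN (constrained delegation with protocol transition) for the driver's S4U2proxy step to succeed.

```java
import java.security.PrivilegedExceptionAction;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Properties;
import javax.security.auth.Subject;
import javax.security.auth.login.LoginContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import com.sun.security.jgss.ExtendedGSSCredential;

public class S4UJdbc {
    // Assumed JAAS entry name. A jaas.conf passed via -Djava.security.auth.login.config
    // must define it with Krb5LoginModule and the middle tier's keytab, e.g.
    //   MiddleTier { com.sun.security.auth.module.Krb5LoginModule required
    //     useKeyTab=true storeKey=true keyTab="/etc/svc.keytab"
    //     principal="svc/middle.example.com@EXAMPLE.COM"; };
    private static final String JAAS_ENTRY = "MiddleTier";
    // Assumed target: any SQL Server reachable over Kerberos with an SPN registered for it.
    private static final String JDBC_URL = "jdbc:sqlserver://db.example.com:1433;databaseName=app";

    /** Obtain an S4U2self credential for userPrincipal using the service's own TGT. */
    public static GSSCredential impersonate(String userPrincipal) throws Exception {
        LoginContext lc = new LoginContext(JAAS_ENTRY);   // service logs in from its keytab
        lc.login();
        Subject service = lc.getSubject();
        // createCredential looks for the TGT in the Subject of the calling context,
        // so the GSS calls must run inside Subject.doAs for the service Subject.
        return Subject.doAs(service, (PrivilegedExceptionAction<GSSCredential>) () -> {
            GSSManager manager = GSSManager.getInstance();
            GSSCredential self = manager.createCredential(GSSCredential.INITIATE_ONLY);
            GSSName user = manager.createName(userPrincipal, GSSName.NT_USER_NAME);
            return ((ExtendedGSSCredential) self).impersonate(user);   // S4U2self request to the KDC
        });
    }

    /** Open the JDBC connection as the impersonated user; the driver performs S4U2proxy. */
    public static Connection connectAs(String userPrincipal) throws Exception {
        Properties props = new Properties();
        props.setProperty("integratedSecurity", "true");
        props.setProperty("authenticationScheme", "JavaKerberos");
        // Hand the impersonated credential to the driver explicitly instead of relying
        // on the ambient Subject; the driver uses it to request the SQL Server ticket.
        props.put("gsscredential", impersonate(userPrincipal));
        return DriverManager.getConnection(JDBC_URL, props);
    }
}
```

Drivers for other databases need their own Kerberos switches in place of the two SQL Server properties, and a driver without a way to accept a GSSCredential must instead be called inside Subject.doAs as in the answer above.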